Dailydave mailing list archives
Re: Something funny
From: Nate Lawson <nate () root org>
Date: Mon, 12 Apr 2010 13:25:04 -0700
dave wrote:
So people like to point at Palladium (and NGTCB, etc.) as "solving all our problems". Mostly Palladium solved the RIAA's problems, and it required a global PKI, which is why no one went for it, possibly? In any case, as an attacker we look forward to the future NGTCB, mostly because we can sign and seal our trojans to particular machines, and make them impossible to RE or get memory forensics on. I've asked Gustavo Scotti to look into it, which means it'll probably be done by the time people enable their TPM BIOSes. :>
It doesn't work that way. Your code will be running unprotected in RAM, so a RAM dump will get all its keys. The model is exactly the same as software protection today (i.e. you're only as good as your obfuscation). Even if you seal your decryption key using the TPM, it will be providing the decrypted key back to your trojan, which either 1. stores the key in RAM or 2. decrypts itself and stores its code in RAM. The only thing a TPM would prevent is copying the encrypted trojan to another machine (cold) and trying to execute it there. But if you grabbed a RAM snapshot after it was running, you could debug at will.

For some background, there were 3 players in trusted computing:

- Palladium/NGSCB (Microsoft)
- LT/TXT (Intel) and Pacifica/SVM (AMD)
- TPM (ST, National Semi, etc.)

The commonly-espoused plan of pervasive DRM, end of viruses, etc. circa 2002 was Microsoft's. They wanted a platform to make the PC the center of the digital living room and Windows Media DRM the central distribution system for commercial video and audio. More control of it would help them gain access to high-def content, which studios were protective of.

The second group of players worked with Microsoft, but their goals were broader. While media center PCs have always been an Intel objective, they also have business customers who would like auditable boot. So TXT alone is not enough to do DRM.

The third group is an open alliance that just wants another market for existing smart card chips. So the TPMs are all just repackaged smart cards sitting on the LPC bus.

After all the sturm and drang of 2002, things sort of died out, publicly. Microsoft dropped NGSCB. They also dropped trusted path (the encrypted USB and video). Instead, they privately pursued the separate objectives through COPP and Vista.

http://www.microsoft.com/resources/ngscb/documents/NGSCBhardware.doc

The new future is CPUs with integrated HDCP, such as Arrandale. Your video and audio will never leave the CPU. This doesn't help with your trojan, which really only uses the TPM component.

http://www.brighthub.com/computing/hardware/articles/26522.aspx

-- 
Nate
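The sealing model Nate describes, worked through as an added example (constructed for this archive page, not code from the thread or from any TPM vendor): a toy `SimTpm` class stands in for the chip, with a root key that never leaves it and a PCR bank that the seal policy is bound to. The XOR keystream and the fixed RAM layout are simplifications chosen to keep the example short; the `PAYLOAD_KEY`, `PAYLOAD` and PCR values are constructed. It shows the two outcomes from the reply: a cold copy of the sealed blob to another machine (or the same machine with a changed boot measurement) is refused, while a memory image taken from the running loader still contains both the unsealed key and the decrypted payload, which a `strings`-style scan recovers.

```python
"""Toy model of TPM sealing vs. memory forensics (constructed example)."""
import hashlib
import hmac
import os
import random
import string


def _kdf(root_key, label, digest):
    # Derive a per-purpose key from the chip's root key and the PCR policy.
    return hmac.new(root_key, label + digest, hashlib.sha256).digest()


class SimTpm:
    """Stand-in for a TPM: a root key that never leaves the chip plus PCRs.
    The XOR 'cipher' below is a toy, used only to keep the example short."""

    def __init__(self, pcr_values):
        self.root_key = os.urandom(32)      # unique per chip
        self.pcrs = dict(pcr_values)        # index -> 32-byte measurement

    def policy_digest(self, pcr_indices):
        h = hashlib.sha256()
        for i in sorted(pcr_indices):
            h.update(self.pcrs[i])
        return h.digest()

    def seal(self, secret, pcr_indices):
        assert len(secret) <= 32
        digest = self.policy_digest(pcr_indices)
        pad = _kdf(self.root_key, b"seal", digest)
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        tag = _kdf(self.root_key, b"mac" + ct, digest)
        return {"pcrs": sorted(pcr_indices), "ct": ct, "tag": tag}

    def unseal(self, blob):
        # Refuses if the root key differs (other chip) or the PCRs changed.
        digest = self.policy_digest(blob["pcrs"])
        tag = _kdf(self.root_key, b"mac" + blob["ct"], digest)
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("unseal refused: wrong chip or PCR state")
        pad = _kdf(self.root_key, b"seal", digest)
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))


PAYLOAD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")          # constructed
PAYLOAD = b"CONSTRUCTED_PAYLOAD: this text only exists decrypted in RAM"  # constructed


def xor_stream(key, data):
    """Symmetric toy stream cipher: encrypt and decrypt are the same call."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def run_sealed_payload(tpm, blob, encrypted_payload, ram_size=4096):
    """Simulate the loader: unseal the key, decrypt the payload, and leave
    both in process memory. Returns the RAM image a forensic dump would see."""
    filler = random.Random(7)               # deterministic 'uninitialised' memory
    ram = bytearray(filler.getrandbits(8) for _ in range(ram_size))
    key = tpm.unseal(blob)                  # case 1: key is now in RAM
    plaintext = xor_stream(key, encrypted_payload)
    ram[0x100:0x100 + len(key)] = key
    ram[0x800:0x800 + len(plaintext)] = plaintext   # case 2: decrypted code in RAM
    return bytes(ram)


def printable_strings(dump, min_len=8):
    """strings(1)-style scan over a memory image."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in dump + b"\x00":                # sentinel flushes the last run
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    return found


def key_in_dump(dump, key):
    return dump.find(key) != -1


def demo():
    machine_a = SimTpm({0: hashlib.sha256(b"firmware-A").digest(),
                        7: hashlib.sha256(b"bootloader-A").digest()})
    machine_b = SimTpm({0: hashlib.sha256(b"firmware-B").digest(),
                        7: hashlib.sha256(b"bootloader-B").digest()})
    blob = machine_a.seal(PAYLOAD_KEY, [0, 7])
    encrypted = xor_stream(PAYLOAD_KEY, PAYLOAD)

    def unseals(tpm):
        try:
            tpm.unseal(blob)
            return True
        except PermissionError:
            return False

    dump = run_sealed_payload(machine_a, blob, encrypted)   # snapshot while running
    machine_a.pcrs[7] = hashlib.sha256(b"bootloader-A-modified").digest()
    return {
        "cold_copy_unseals": unseals(machine_b),
        "changed_boot_unseals": unseals(machine_a),
        "key_in_dump": key_in_dump(dump, PAYLOAD_KEY),
        "payload_in_dump": any("CONSTRUCTED_PAYLOAD" in s
                               for s in printable_strings(dump)),
    }


if __name__ == "__main__":
    print(demo())
```

The refusals show what sealing buys a defender: a sealed secret does not survive copying to another chip or a change in the measured boot chain. The two `True` results for the dump show what it does not buy anyone: once the chip hands the key back, the key and whatever it decrypts live in ordinary memory, so a RAM snapshot of the running process is the first thing a memory-forensics workflow should collect.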